Hi,
Are you talking about clientless WebVPN?
If so, you need to include the ASA outside IP address to the crypto ACL of your VPN.
This is due tot he fact that when you use clientless WebVPN, the ASA will request the CMS page with it's own IP so it won't be tunneled if it is not part of the crypto ACL.
If you are talking about Anyconnect access, I see two possible problems:
1.) "same-security-traffic permit intra-interface" not configured.
This would be needed for the traffic to bounce from the outside interface to the VPN originated on the same interface. If you are able to access your CMS with the VPN client, I guess this is configured since you would also need it.
2.) Anyconnect VPN pool not NAT exempted or not tunneled
Did you setup nat exemption for the pool bound to the Anyconnect clients? If so, is this pool also part of the crypto ACL of your VPN?
Hope this helps.
Regards,
Nicolas